PSP之NAND教程

※本文由EZ会员rockddr翻译※

本篇教程适合那些不知道NAND及其重要性的人，而且会告诉你为什么绝不能使用他人的NAND来恢复。出于对于新手的安全操作考虑，我已经删除了教程的进阶部分。教程里绝大部分内容我都已经烂熟于心，但有可能我把一些名字和参考资料弄混了，如果有请指出来。可以的话最好给出证明。

在我们接触nand之前有几件事要清楚。我们来分成几个部分讲解
01.nand的定义
02.技术层面的划分
---A.IPL
---B.IDStorage
---C.lflash
03.提取nand
04.恢复nand
05.“一定”与“一定不”
06.相关下载

01.NAND
nand是什么？psp启动需要的所有文件都保存在psp内部的一块芯片里，而nand就是这个芯片内容的一个物理备份，包括IPL，IDStorage以及lflash。正确的使用备份的nand可以修复砖头，这表明除非有硬件损坏，不然psp永远不砖。

02.技术层面的划分
由三部分组成。IPL，IDStorage和lflash。
详细了解请点击：http://hitmen.c02.at/files/yapspd/psp_doc/chap19.html#sec19
---A. IPL介绍
IPL相当于“程序初始化加载器”，也就是说PSP启动时，预处理IPL会在nand里面搜索到IPL并且加载以实现PSP的启动。这是启动过程的第一步。接下来IPL就会加载lflash里面的内容，也就是系统固件。
据我了解，目前有5种类型的IPL
1.50
在没有任何修改的情况下，1.50的IPL可以在1.0到2.60版本的PSP上正常工作。如果你修改了IDStorage里面的key5，你就可以在1.50到3.52的PSP上加载IPL。只有TA082或者后续型号主板的老P才需要修复key5。
不幸的是如果你使用自制系统，那么IPL只可以在更高的版本下运行。这个特性在3.71M33时期被发现，即使是3.71M33也会有1.5补丁，以后也会有。
1.50简化IPL
DA修改了1.5的IPL做出来了1.5简化IPL，简化版不会检测key5是否存在，可以运行在所有的老P上，但是不适用新P。
1.50多重启动
Booster开发了1.5的多重启动IPL，你用潘多拉电池既能从记忆棒启动又能从nand直接启动。同样不能用于新P。
1.5/3.xx混合IPL
这个完全是由DA和M33小组的其他成员开发的（据我了解）。曾经作为一种功能扩展允许潘多拉电池用在新P上，因为1.5的IPL与新P无缘。混合IPL有两种版本，一种可以在新P上摸黑安装3.60m33，另一种有了屏幕显示并且新P老P都适用，由1.50/3.40/3.71组成。细节方面我不大清楚，我相信这就是应用在神电V3和V4上面的IPL。
3.xx
在3.xx固件时期，lflash的加密改变了。而且sony还改变了启动用的IPL。其中一个主要原因是因为新P即将发布，另一个原因是sony试图阻止自制软件的蔓延。但主要还是因为新P要发布。我确信这就是工作在3.71m33或更高系统下的IPL。

---B.IDStorage
这部分我不会说的太多，因为大部分人没有必要了解。但还是有一些东西需要了解。

如果你使用别人的或者不是随着psp出厂的IDStorage，你的PSP将会失去一些功能。

这些功能包括但不限于下列功能：
WIFI
UMD
自制软件
UMD VIDEO

我确信还有更多功能会失去，但是我没有完整的列表

你只需要记住：如果你用了其他人的IDStorage，psp会变砖。绝不要用别人的。

IDStorage是干什么的？

它保存着许多的key，每个key上带有psp的信息。这些信息包括：

PSP：
序列号
UMD光驱序列号
WIFI的MAC地址
key的加密
key的解密
视频的地区信息
WIFI的地区信息
原始固件版本
电量设定
显示亮度设定

由上可知，在IDStorage里面有很多对psp至关重要的信息。如果这些信息被改变，你就会把psp变成砖头。

备份IDStorage并不难，我知道至少三种方法。第一种是使用Chilly Willy的Key Cleaner，这个程序会把key提取出来保存成txt文本文件，然后可以用Chilly Willy的IDStorage Manager恢复。如果你没有神电，这个方法是你最好的选择。下面一种方法是用cory149的Des Cem M8，这是一个提取nand的程序，同时也会把key提取出来保存。选择一个程序，用它来备份你的key，以后会用到的。

一旦你弄坏了IDStorage，你就可以用上面说的软件进行恢复。三个软件都可以在集成jasOnuk制作的elf menu的神电V3/V4下运行。

---lFlash
lflash由flash0，1，2，3组成。他们都是nand的文件系统中的一个组成部分，是彼此独立的分区。每个分区都可以被立即破坏或者自己损坏。比如你psp的flash2或者flash3坏掉了，如果你不上网登陆PS商店并且下载东西，你永远也不知道flash2或3坏掉了。当你知道了，psp也就砖了。

Flash0
储存当前固件文件。这些文件被加密和符号校验。也就是说当固件安装完毕，这些文件仅仅对你的psp是加密的。
换句话说：你不能把其他人的f0文件用到你自己的psp上
唯一的例外是：你在用的是解压缩解密的rco文件，就是可以被rco editor打开的rco文件。可以用来美化主题。
Flash1
保存所有的系统设定，比如壁纸，用户名，网络设置，flash播放和其他设定。在f1里你会发现一个config.se文件，这个文件保存着恢复模式里面的设置。如果你删除这个文件，恢复模式里面的设定就会恢复默认。f1里面还有如下内容：

flash1:/dic/atok10.dic
flash1:/gps
flash1:/net/http/auth.datP
flash1:/net/http/cookie.dat
flash1:/registry/system.dreg
flash1:/registry/system.ireg
flash1:/updater/u.log
flash1:/vsh/theme/custom_theme.dat
flash1:/vsh/theme/wall**.bmp
如果你用神电V3/V4然后psp卡死在XMB，那么就是你在有主题或壁纸的情况下做了神电。接下来你需要在恢复模式里选择格式化f1。这样做不会重建上面所有的文件夹，但要确保f1里面有这样的结构。

Flash2
为PlayStation Network存放cert.dat/act.dat DRM。只有当你用psp连接ps3或者电脑来登陆PlayStation网络的时候才会出现。当安装固件的时候，f2会被神电V4备份下来。如果这个文件缺失，你就需要从头下载你之前从playstation下载过的东西。

Flash3
在3.60系统，f3被用来存储看电视功能的‘1SEG.PBP’。后来这个和其他程序一起被移动到f0里。老P的f3是空的，DA推测新P的f3会被用来保存更多的下载内容，比如Go Messenger。而老P还是把下载内容保存在记忆棒上。

每个flash区域都是NAND的一个独立分区。这些分区会因为各种原因被破坏，众所周知的原因就是在3.71m33/-2用usb连接flash。这在3.71m33-3或-4中被修复了，我不确定具体时间。安全起见，刷到3.71m33-4。若想修复这种情况，你可以用正常nand恢复，也可以用cory的NAND tool来重建分区。

03.提取nand
目前有4种工具可以提取nand。第一个就是大家都知道的第一版神电，但不能用在新P上。第二个是神电V3，第三个是神电V4。最后一个也是最好的：cory做的Des Cem M8。这个程序是目前最好的nand工具。

当提取nand的时候，碰到坏块（bad blocks）是很正常的。sony允许psp的nand存在一定百分比的坏块。

我个人见过一个全新的PSP在nand里面有三个坏块，这很平常不必担心。在这种情况下，sony加入一定数量的额外数据块来使用。我个人使用神电V3/V4来备份nand。所有程序提取出来的nand都是通用的，不用担心用某个程序提取出来的nand无法进行恢复。

04.恢复nandEZ
神电V3和V4可以用来物理恢复nand。所谓物理恢复就是说如果你备份nand的时候有坏块，那么恢复的时候就连坏块一起恢复。比如神电V3/V4就会用正常数据填充坏块。

而Cory制作的Des Cem M8是逻辑恢复nand。所谓逻辑恢复就是说在恢复过程中会检测坏块，然后不会在坏块里写入数据，而是把数据写入sony加入的额外数据块里。当然如果nand里面坏块太多就会恢复失败。

05.‘一定’和‘一定不’

一定
一定要备份nand，有机会就备份
一定不要忽视备份nand的重要性
一定要多备份几个，然后压缩，用简短易懂的名字重命名比如
3r14nd.v1.50.TA-079.Original.zip
3r14nd.v3.52.M33-4.TA-079.zipE
3r14nd.v3.71.M33-4.TA-079.zip
3r14nd.v3.80.M33-4.TA-079.zip5c
我把他们放在神奇记忆棒里面，和Des Cem M8放在同一个文件夹里

一定不
一定不要用其他人的f0文件。这些文件在别人的PSP上是加密的，不适用在你的psp上
一定不要用其他人的IDStorage还原，不然你的psp就完蛋了
一定不要用其他人的nand来恢复
但是有两个例外的nand可以用来恢复所有的psp。一个是老P的空数据nand并且分区正常。另外一个是新P的。如果你没有自己psp的key或者IDStorage就用这两个通用nand来恢复。

06.相关下载
Chilly Willy's Key Cleaner
http://forums.maxconsole.net/showthread.php?t=56265

Chilly Willy's IDStorage
http://forums.maxconsole.net/showthread.php?t=50765

Corys's Open Source Nand Tool "Des Cem M3"
http://nds.cmamod.com/2007/12/05/nandtooldescemm8-03-beta

Team C+D's Prometheus Project Pandora's Battery
http://lan.st/pandora.zip

Dark Alex's Despertar del Cementerio
http://www.dark-alex.org/

jas0nuk's Elf Menu
http://forums.maxconsole.net/showthread.php?t=83119

本篇教程由3r14nd整合，感谢Cory149, Jas0nuk, Dark_AleX和ChillyWilly。

向psp破解界的所有杰出成就致谢。这里没有必要说出名字，我感谢推动psp破解发展的每一个人。
希望这篇教程能够减少一些小白对你们的pm轰炸。

==============================================================

以下为原文。

This tutorial is for people who do not understand what the NAND is orwhy it's so important. This tutorial should also let people know whyit's so important not to use someone else's NAND dump. I have removedthe advanced section of this tutorial being that I do not want to beresponsible for people ruining their PSP.

I have made most of this from memory withoutlooking things up. I may have mixed up some names and references.Please point out any mistakes I have made. With proof If possible.

When dealing with the NAND there are several things that you need to know. We are going to break them down in several sections

01. Definition
02. Technical Breakdown
--- A. IPL
--- B. IDStorage
--- C. lflash
03. Dumping the NAND
04. Restoring the NAND
05. Do's and Dont's
06. Downloads

01. NAND Dump
What is it? Well a NAND dump is a physical back up of the chip insideyour PSP that stores all the files that the PSP needs to start up. Itcontains the IPL, the IDStorage, and the lflash. A NAND dump if usedproperly can be used to unbrick your PSP. This means that you cannotscrew up PSP unless something goes wrong hardware wise.

02. Technical Breakdown
The Nand is comprised of 3 sections. The IPL, the IDStorage, and the lflash
More To Read.

--- A. The IPLPS3
The IPL is the "Initial Program Loader" - This means when the PSPstarts up the pre-IPL looks on the NAND for the IPL and loads it. Thisis the first step in the booting process.

The IPL starts loadingeverything else off of the lflash (the firmware)
There are as of this writing and as far as I know of 5 types of IPLs
1.50
This will work on any PSP Classic from the 1.0 - 2.60 without modifyinganything. If you modify the IDStorage and change "key 5" you will beable to load it on 1.50 - 3.52. Only the Classic PSP's with the TA-082+motherboards needed to patch "key 5".
Unfortunately it will only run on the higher version firmwares if youare running a custom firmware as Sony does not allow it. This featurehas been taken out as of 3.71 M33 even though there is a 1.50 Kerneladd-on for this and newer Custom Firmwares
1.50 SimpleIPLPS
There is an IPL that was made by a character by the name of moonlightaka Dark_Alex that made a modified version of the 1.5 IPL that does notcheck to see if "key 5" in the IDStorage was there and would work onall versions of the Classic PSP. This ipl cannot be used on the slim.
1.50 Multi-Boot
A person by the name of Booster made a multi-boot ipl that allowed youto use Pandora to boot to either your memory card or boot directly fromthe NAND. This ipl cannot be used on the slim.
1.5/3.xx
This is an IPL that was made up entirely by Dark_Alex and the rest ofTeam M33(from my knowledge) This was used for an add-on feature forPandora to allow Pandora to run on the Slim because the 1.50 IPL doesnot work on the Slim. There were 2 versions of this IPL the first oneallowed the installation of 3.60 M33 on the slim without the use of thescreen. The second one does have the screen and will work on both theClassic and the slim and is comprised of 1.50/3.40/3.71 Firmwares.Specifics of it I do not have. I believe that this is what is used onDCv3/4PS3
3.xx
The encryption of the lflash changed during the 3.xx firmwares. In turnthey also changed the IPL that loads up. The main reasons for doingthis was first because the slim PSP was on the way out the door andsecond because they were trying to stop homebrew. Mainly it's becauseof the Slim PSP. I do believe that this is the IPL that runs on all3.71+ M33 custom firmwares.

--- B. IDStorage
I will not get into this too much because most people will not need toknow. However there are somethings that you need to know about it.
IF YOU USE THE IDSTORAGE OF A PSP THAT IS NOTYOURS OR DID NOT COME ON THE PSP WHEN IT WAS MADE BY SONY YOU WILLLOOSE SEVERAL FEATURES OF YOU PSP.
This is including but not limited to the following:
WIFI
UMD
Homebrew
UMD VIDEOS
I do believe there are more things that you will loose however I do not have a list of them all.

Just remember that if you use someone else's IDStorage you CAN BRICK YOUR PSP. DO NOT USE

SOMEONE ELSE'S IDStorage
What does IDStorage do
IDStorage keeps several hundred keys with information about your PSP on each key.
These keys hold information like the following:

PSPs:
Serial Number
UMD Drive Serial number
Wifi Mac Address
Encryption key's
Decryption key's
Video Region Information
Wifi Region Information
The original version of firmware that was installed on it
Battery Power settings
LCD Power settings

As you can see there are several things in your IDStorage that isspecific to your PSP. If these things change to something that they arenot supposed to be then you can and will brick your PSP.

Backing up your IDStorage is not hard. I know of at least 3 ways to doit. The first is a program called "Chilly Willy's Key cleaner" thisprogram will dump your keys for you in several .txt files for you. Theycan be restored using "Chilly Willy's IDStorage Manager".

This is thepreferred method of backing up your keys if you do not have Pandora.The next way is to use "cory149's Des Cem M8" this is a NAND dumpingprogram that also has the ability to dump your keys. Pick one of theseprograms and use them. They will come in handy later.

You can use those same programs to restore your IDStorage once you havecorrupted it. All 3 of those programs will work on DCv3/4 withjas0nuk's elf menu.

--- C. lFlash

The lflash is comprised of Flash 0, 1, 2, and 3. They are all part ofthe NANDs portion of the file system. They are each separate partitionsand each one of the can get corrupted all at once or each one bythemselves. For instance you can have a corrupted flash2 or flash3 andnever know it until you go to the PlayStation store and try to downloadsomething and next thing you know your PSP has bricked.

Flash0
Holds the actual firmware files. These files are encrypted andsig-checked. This means that when they were installed they wereencrypted just for your PSP.
In other words you cannot use someone else's flash0 files on your PSP.
The only exception to this is if you are using a decompressed and decrypted RCO file that people use when customizing thier PSP.

Flash1
Holds all of your system settings. Things like your wall** ofchoice, your PSP user name, Network settings, Flash player and othersettings. On here you will find a config.se which is the file thatholds the settings for the "recovery" menu. If you delete this filethen you will be resetting the settings for the recovery menu. You willalso find the following folder on there：

flash1:/dic/atok10.dic
flash1:/gps[
flash1:/net/http/auth.dat
flash1:/net/http/cookie.dat
flash1:/registry/system.dreg
flash1:/registry/system.ireg
flash1:/updater/u.log
flash1:/vsh/theme/custom_theme.dat
flash1:/vsh/theme/wall**.bmp

If you use DCv3/4 and your psp locks up in the xmb then you havecreated your DCv3/4 with a theme/wall ** installed and must use theformat flash1 option in the recovery menu. Doing this will not recreateall of the a fore mentioned folders. Make sure they all exist.

Flash2
Holds cert.dat/act.dat DRM stuff for the PlayStation Network. This willonly show up once you have connected your psp to a PS3 or a PC for thePlaystation Network downloads. This also gets backed up by DCv4 wheninstalling firmwares. The worst part about loosing this file is thefact you will have to redownload whatever it was you downloaded tobegin with.

Flash3
3.60 it was used to store the tv usb1seg application "1SEG.PBP". Thishas since been moved to flash0 with all other programs. On the phat pspthis is empty. Dark_AleX speculates that it will be used to store more"downloadable" content like "Go Messenger" but only on the slim wherethe classic will still use the memorystick to download it.;

Each "flash" area is a different partition on the NAND it's self. Thesepartitions have been known to get corrupted for various reasons. Themost known reason is by using the usb option on 3.71 M33 to 3.71 M33-2.This has been fixed in 3.71 M33-3 or 4 I'm not sure. Just install -4 tobe safe. To fix this you can either use a proper working NAND dump orby using cory's

NAND tool to repartition the areas.

03. Dumping the NAND.

There are 4 programs out right now that will allow for dumping of yourNAND. The first one that everyone knows is the original Pandora. Theoriginal Pandora does not run on the slim.

The second is Despertar desCementerio v3. The third is version 4. The last and greatest is cory's"Des Cem M8". Corys program is by far the best tool to use to work withyour NAND by far.

When dumping your NAND it is normal to see bad blocks appear. Sony isallowed to ship out the PSP's whose NAND has a certain percentage ofbad blocks. I have personally seen one brand new get shipped with 3 badblocks. This is normal. They include a reasonable amount of extrablocks to use in this type of situation.

I personally make my dumps with whatever version of DCv3/4 I'm using.All of the programs dumps are universal. It does not matter which oneyou make the dump with however it does matter which one you restore itwith technically.P

04. Restoring the NAND dump
Despertar Des Cementerio version 3 and 4 will restore the dumpphysically. This means if you had a bad block when dumping then it willrestore that bad block. The bad part about this is if you managed toget a new bad block since you made the dump you may not be able toproperly restore your dump. The reason being is the DCv3/4 will restoregood data to bad blocks because of the way it's restored.

Cory's Des Cem M8 will restore the dumps logically. This means it willcheck for bad blocks and will not restore good data to a bad block. Itwill in turn restore good data to the extra good blocks Sony includedfor this reason. Of course if there are too many bad blocks on the NANDthen the restore will fail.

05. Do's and Don'ts.
"DO's"
THIS IS THE MOST IMPORTANT "DO" OUT THERE.

Do make yourself a nand dump as soon as you have the opportunity.
Do not skip this. This can make or break your PSP.
Do make several backup copies of your NAND dump. Then zip it up and rename it to something you will understand. Mine are named
3r14nd.v1.50.TA-079.Original.zip
3r14nd.v3.52.M33-4.TA-079.zip
3r14nd.v3.71.M33-4.TA-079.zip
3r14nd.v3.80.M33-4.TA-079.zip
I also carry them on my Pandora stick in the folder used for corys Des Cem M8.
"DONT's"

Do Not restore someone else's Flash0 files. They are encrypted for their PSP and not yours they will not work.
Do Not restore someone else's IDStorage. It will screw up your PSP.
Do Not restore someone else's NAND dump in to your PSP.
There are exactly 2 NAND dumps I know of that are fine to restore toany PSP. One of them is a NAND Dump of a Classic PSP that containsnothing but empty data and the correct partitions. The other is theexact same thing but for the Slim. These are still not good to restoreunless you have a dump of your keys or a good dump of your IDStorage.

06. Downloads
Here are the links to Everything I have mentioned in this Tutorial
Download Chilly Willy's Key Cleaner
Download Chilly Willy's IDStorage
Download Corys's Open Source Nand Tool "Des Cem M8"
Download Team C+D's Prometheus Project Pandora's Battery
Download Dark Alex's Despertar del Cementerio
Download jas0nuk's Elf Menu

This tutorial was put together by 3r14nd. Contributions made by: Cory149, Jas0nuk, Dark_AleX, and ChillyWilly.

Thank you's are in order for all of the greatest devs of the PSP scene.You know who you are and there is no need to say names. I thank eachand everyone of you who help this scene continue.

I hope this helps with keeps some of the noobs off of your PM box for a few.

If you know of anything that should be added to this tutorial, keepin mind it's for the noobz to get to know more about the NAND and notgetting to know how to program for it, just PM me and I shall add itin.
Remember I have never stated that i'm a know it all when it comes tothe NAND just someone who has payed attention. This means there may bemistakes in this TUT just point them out and I shall correct them.